Multiple DC/DNS/DHCP servers

-
Hi,
I have a scenario where there is one W2K3 server which is a DC, DHCP and DNS server. There is another W2K8 R2 server which also has the DC, DNS, and DHCP roles. The W2K8 R2 server previously only had the DC role and the other two roles were added to provide some redundancy. We will be replacing the W2K3 server next month with a W2K8R2 server.
Currently, scavenging is not enabled. This is an AD environment and secure updates only are enabled. Most clients are Windows XP or Windows 7. There are some Layer 2 and 3 switches on the network as well.
I am concerned about stale DNS entries left behind by clients as they reconnect over time. I have read Ace's blog (http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx), and http://expresstaalk.blogspot.in/2011/09/dhcp-on-dns-scavenging-and.html. As our environment is mixed (Server 2003 and Server 2008 R2), I would really appreciate it if someone could please advise on the following:
From what I have understood, I need to carry out the following steps:
W2K3 DC/DNS/DHCP server: Create DHCP service credential and set DHCP service to use this, add the server to the DNSProxyUpdate Group. Enable DNS Option 81 by going to the Zone properties, DNS tab, and then selecting 'Always dynamically update DNS A & PTR Records', 'Discard A and PTR Records when lease is deleted' & 'Dynamically Update DNS A and PTR Records for DHCP Clients that do not request updates'.
W2K8 R2 DC/DNS/DHCP server: Create DHCP service credential and set DHCP service to use this, add the server to the DNSProxyUpdate Group. Configure Name Protection, and secure the DNSUpdateProxyGroup by running 'dnscmd /config /OpenAclOnProxyUpdates 0'.
Will running 'dnscmd /config /OpenAclOnProxyUpdates 0' cause any issues given that the DNSProxyUpdate Group will also have the W2K3 server (with the DNS/DC/DHCP roles)?
Additionally, is there anything else I need to do/ look out for?
I also had a look at scavenging on the server and oddly enough, the Zone Aging/Scavenging Properties show the zone can be scavenged after 01/01/1601 00:00:00. Is this because scavenging has never been set?
Thanks,
HA
All replies
-
Hi,
Based on your description, I think the configurations are good.
Using DNS servers with DHCP
http://technet.microsoft.com/en-us/library/cc787034%28v=ws.10%29.aspx
Regarding “01/01/1601 00:00:00”, based on my experience, it seems that it is because scavenging is not enabled.
Don't be afraid of DNS Scavenging. Just be patient.
How DNS Scavenging and the DHCP Lease Duration Relate
Understanding Aging and Scavenging
http://technet.microsoft.com/en-us/library/cc771677.aspx
Thanks.
- Marked as answer by Jeremy_WuMicrosoft contingent staff, Moderator Monday, October 28, 2013 2:40 AM
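The 01/01/1601 date and the stale-record concern discussed above, worked through as an added example (not code from the thread or from Microsoft). It assumes Windows DNS aging values are whole hours counted from 1601-01-01 UTC, so a never-set value of zero displays as that date, and that a record becomes eligible for scavenging once the no-refresh and refresh intervals (7 days each assumed here) have both elapsed; function names and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows DNS aging timestamps count whole hours from this epoch (UTC).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hours_to_datetime(hours):
    """Convert an hours-since-1601 aging value to a UTC datetime."""
    return EPOCH_1601 + timedelta(hours=hours)


def datetime_to_hours(when):
    """Convert a UTC datetime to whole hours since 1601-01-01."""
    return int((when - EPOCH_1601).total_seconds() // 3600)


def scavenge_state(timestamp_hours, now, no_refresh_days=7, refresh_days=7):
    """Classify one record against the zone's aging intervals.

    timestamp_hours == 0 marks a record with no timestamp (static),
    which aging never touches.
    """
    if timestamp_hours == 0:
        return "static"
    stamped = hours_to_datetime(timestamp_hours)
    refresh_opens = stamped + timedelta(days=no_refresh_days)
    stale_after = refresh_opens + timedelta(days=refresh_days)
    if now < refresh_opens:
        return "no-refresh"  # refreshes are ignored in this window
    if now < stale_after:
        return "refresh"     # a client refresh resets the timestamp
    return "stale"           # eligible for the next scavenging pass


if __name__ == "__main__":
    now = datetime(2013, 10, 28, 12, 0, tzinfo=timezone.utc)  # constructed
    # Constructed sample records: (name, aging timestamp in hours).
    records = [
        ("server01", 0),
        ("xp-client", datetime_to_hours(now - timedelta(days=3))),
        ("win7-laptop", datetime_to_hours(now - timedelta(days=10))),
        ("old-pc", datetime_to_hours(now - timedelta(days=30))),
    ]
    print("zero value renders as:", hours_to_datetime(0).isoformat())
    for name, ts in records:
        print(f"{name:12} {scavenge_state(ts, now)}")
```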
-
Hi,
I would like to check if you need further assistance.
Thanks.
-
Hi Jeremy,
Thank you for your reply and apologies for not getting back to you sooner.
Just for clarification, running 'dnscmd /config /OpenAclOnProxyUpdates 0' will not cause any issues, given that one of the servers in the DNSProxyUpdate group will be W2K3? This server will be replaced in the coming weeks with a Windows Server 2008 R2 server.
Thanks,
HA
-
Hi HA,
Based on my knowledge, it will not cause any issue.
Thanks.
- Marked as answer by Jeremy_WuMicrosoft contingent staff, Moderator Monday, October 28, 2013 2:40 AM
-
Hi,
We have not heard from you in a couple of days.
Please post back at your convenience if we can assist further.
Thanks.
-
Hi Jeremy,
I tried this in a lab with 2 W2K8 R2 servers that are DHCP/DC/DNS and it partially works if I don't enable name protection (Option 181, DHCP credentials, etc. are all done). The moment I turn on name protection, the DHCP clients start getting registered as the owners of their records rather than the DHCP credential. Can you please advise?
Furthermore, after turning off name protection, even though I have the option 'Discard A & PTR Records when lease is deleted' selected, the records don't get deleted after the lease is deleted.
Thanks,
HA